-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsysctl.conf
169 lines (149 loc) · 6.38 KB
/
sysctl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
## My custom sysctl ##
# I recommend that in your rc.local, you add `sysctl -p` so that they are for sure applied at boot
# These settings control the following:
# When dirty pages are writen
# No swap
# How quickly to write after storing to memory
# Use as much memory as we can and allow for large maps
vm.dirty_background_ratio = 3
vm.dirty_ratio = 7
vm.swappiness = 0
vm.dirty_expire_centisecs = 300
vm.dirty_writeback_centisecs = 100
vm.overcommit_memory = 1
vm.min_free_kbytes = 5937862
vm.vfs_cache_pressure = 10000
#vm.pagecache = 5
vm.page-cluster = 16
vm.max_map_count = 327650
vm.stat_interval = 10
# Assign time to a single core for management
kernel.timer_migration = 0
kernel.sched_rt_runtime_us = -1
kernel.hung_task_check_count = 1
#kernel.softlockup_thresh = -1
# In crease # of open files
fs.file-max = 3100000
fs.nr_open = 3100000
# The kernel.shmax parameter defines the maximum size in bytes for a shared memory segment. The kernel.shmall parameter sets the total amount of shared memory in pages that can be used at one time on the system. Set the value of both of these parameters to the amount physical memory on the machine. Specify the value as a decimal number of bytes.
# It is recommended to set the SHMMAX value to be equal to the amount of physical memory on your system.
# The kernel parameter sem consists of four tokens, SEMMSL, SEMMNS, SEMOPM, and SEMMNI. SEMMNS is the result of SEMMSL multiplied by SEMMNI.
# command to see current settings - `ipcs -l`
# 192Gb mem = 206158430208 bytes in base 2 - https://www.gbmb.org/ <--convert bytes/Gb/Mb
# ----
# sysctl settings | Defaults/min values/how to calculate
# kernel.shmmni (SHMMNI) 256 * <size of RAM in GB>
# kernel.shmmax (SHMMAX) <size of RAM in bytes>
# kernel.shmall (SHMALL) 2 * <size of RAM in the default system page size>
# kernel.sem (SEMMNI) 256 * <size of RAM in GB>
# kernel.sem (SEMMSL) 250
# kernel.sem (SEMMNS) 256000
# kernel.sem (SEMOPM) 32
# #kernel.sem=<SEMMSL> <SEMMNS> <SEMOPM> <SEMMNI>
# kernel.msgmni (MSGMNI) 1024 * <size of RAM in GB>
# kernel.msgmax (MSGMAX) 65536
# kernel.msgmnb (MSGMNB) 65536
# ---
# Since a semaphore set can have the maximum number of SEMMSL semaphores per semaphore set, it is often recommended to set SEMOPM equal to SEMMSL. As well as settings SEMMSL equal to SEMMNI.
kernel.shmall = 206158430208
kernel.shmmax = 206158430208
#kernel.shmmni = 49152
#kernel.sem = 49152 2415919104 49152 49152
#kernel.msgmni = 196608
kernel.msgmax = 65536
kernel.msgmnb = 65536
# Network performance tweeks
# Some can help against DDOS attacks
# Decreased timeouts to close unused connections faster
# Increase caches/backlogs to improve network IO performance
# Use cake and bbr for network control features for improved performance
# Disabled ICMP replies. There are more ways below to block ICMP that are commented out
# Fuck ipv6, turned it off to avoid fighting issues
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.arp_ignore = 1
net.core.optmem_max = 65535
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 32768
net.ipv4.tcp_max_syn_backlog = 32768
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.default_qdisc = cake
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_adv_win_scale = -2
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_mtu_probing = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.nf_conntrack_max = 65535
net.netfilter.nf_conntrack_tcp_timeout_established = 120
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 5
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 5
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 5
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 120
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# DIE ipv6!!!
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv4.route.flush = 1
net.ipv4.tcp_max_orphans = 32768
# ICMP blocking requests and redirecting icmp requests
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0
#net.ipv4.conf.all.secure_redirects = 0
#net.ipv4.conf.default.secure_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.default.accept_redirects = 0
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
# UFW - NOT A ROUTER
net.ipv4.ip_forward=0
#net/ipv6/conf/default/forwarding=0
#net/ipv6/conf/all/forwarding=0
# If the server might have 200 clients simultaneously, then:
# max(tcp_wmem) * 2 * 200 / 4096
# To estimate the number of simultaneously connected clients, use your blockchain
# config.toml settings for number of inbound connections. Take the sum of all
# configs for nodes on the same server.
# Example: Default is 40. If you have 10 nodes running at these
# defaults, -> 10*40=400 possible simultaneously connections. I would add 5%-10% extra
# to account for house keeping and other possible connections for other services in use.
net.ipv4.tcp_mem = 6553600 6553600 6553600
## The MAX settings below are set to the max of 16MB in bytes in base 2
## --------------------------------------------------------------------
# Increase the read-buffer space allocatable
# Default: tcp_rmem=4096 87380 6291456, udp_rmem_min=4096, rmem_default=212992, rmem_max=212992
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 16777216
net.core.rmem_max = 16777216
# Increase the write-buffer-space allocatable
# Default: tcp_wmem=4096 16384 4194304, udp_wmem_min=4096, wmem_default=212992, wmem_max=212992
net.ipv4.tcp_wmem = 8192 87380 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 16777216
net.core.wmem_max = 16777216
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
# Default: ipfrag_low_thresh=3145728, ipfrag_high_thresh=4194304
#net.ipv4.ipfrag_low_thresh = 4194304
#net.ipv6.ip6frag_low_thresh = 196608
#net.ipv4.ipfrag_high_thresh = 2097152
#net.ipv6.ip6frag_high_thresh = 262144